watchdog: ziirave_wdt: check record length in ziirave_firm_verify()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The "rec->len" value comes from the firmware. We generally do
trust firmware, but it's always better to double check. If
the length value is too large it would lead to memory corruption
when we set "data[i] = ret;"

Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>

authored by

Dan Carpenter and committed by

Wim Van Sebroeck 8 months ago 8b61d8ca d7b8f8e2

1 changed file

expand all

drivers

watchdog

ziirave_wdt.c

drivers/watchdog/ziirave_wdt.c

··· 302 302 const u16 len = be16_to_cpu(rec->len); 303 303 const u32 addr = be32_to_cpu(rec->addr); 304 304 305 + if (len > sizeof(data)) 306 + return -EINVAL; 307 + 305 308 if (ziirave_firm_addr_readonly(addr)) 306 309 continue; 307 310